I'm working on an RPG game and I have a problem: storing player data. I was thinking about storing save games in plain text files within the jar or in directories placed near the jar file, but that would be really easy for the player to modify, which will make the game less challenging and less fun. I have been thinking about serialization as well, but I don't know anything about serialization and it seems awfully complicated. Are there any other alternatives?

Just remember that the code you put on the client to decrypt the file is super easy to break so just do something that's simple enough for you to create while stopping the really basic attempts to alter the file. Don't expect to build a flawless system and just accept that if someone really wants to, they can cheat.

Ya that's definitely true, you could just have an encryption algorithm that deters casual players, but people who know what they're doing would probably be able to cheat. I also had the idea for creating one that changes for every user, or for every save of the user. So like if your user names their character then you could use that name to build a key. Not sure how well that would work though. Maybe if you used a Random object, and the name of the saved character (converted to an integer) as a seed then you could create a random key based off the name that could be reproduced by your program. Even with that though someone could probably decrypt it and cheat. Just a thought though.

Yeah, it's a great idea, but the problem is that anything the program can do, the player can decompile it and do. So any encryption key you have will be compromised.

That's why I was trying to come up with a way to NOT hard code the encryption key into the game. Although with the idea I posted above, if someone knew the name of their character and the process used to create the key (and thanks to being able to decompile bytecode this wouldn't be hard to figure out) they could probably decrypt the file. It really sucks that Java bytecode can be decompiled so easily >_<.

I've seen a few jar2exe converters around the web; I have never actually used one, though. Part of the problem is that most of them are paid. I've also looked at obfuscation but most are paid, and I really don't need either of them right now. It really isn't that big of a deal for me because I really don't know enough about game programming to make a game that I would release for free or as a product. People releasing games would probably want to look into it though (if the game is written in Java that is, AFAIK other languages don't have this problem since they're compiled into machine code).

Just remember that the code you put on the client to decrypt the file is super easy to break so just do something that's simple enough for you to create while stopping the really basic attempts to alter the file. Don't expect to build a flawless system and just accept that if someone really wants to, they can cheat.

Mike

That's some pretty good advice.

It probably couldn't hurt to try some simple methods of encoding, then see how effective they are by trying to get friends or community members to see what they are able to do with it. You can't know how secure something is until you have tried to break it.

Also you mentioned Serialization being hard, what's so hard about it? Make the classes you want to save implement Serializable then just create an ObjectOutputStream that wraps around a FileOutputStream. To read it back in, wrap an ObjectInputStream around a FileInputStream.

Oh also I forgot to mention, I wouldn't use the .txt extension on the game save files. It seems to me like someone cheating would go for the easy stuff first, and it doesn't get much easier than opening a .txt file in a text editing program.
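The ObjectOutputStream/ObjectInputStream round trip described above, as an added example that is not part of the original posts. The `PlayerState` class, its fields and the `.sav` file are assumptions; because a save file is player-controlled input, the load side also sets an `ObjectInputFilter` (Java 9+) so only the expected classes are deserialized.

```java
import java.io.*;
import java.util.ArrayList;

public class SaveGameDemo {
    // Hypothetical game state; class and field names are assumptions for this example.
    static class PlayerState implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int level;
        final int gold;

        PlayerState(String name, int level, int gold) {
            this.name = name;
            this.level = level;
            this.gold = gold;
        }
    }

    static void save(Object state, File file) throws IOException {
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file))) {
            out.writeObject(state);
        }
    }

    static PlayerState load(File file) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(file))) {
            // The save file is player-controlled input, so only the classes a real
            // save contains are allowed; any other class is rejected by the filter.
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "SaveGameDemo$PlayerState;java.lang.String;maxdepth=5;!*"));
            return (PlayerState) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        File file = File.createTempFile("slot1", ".sav"); // constructed sample save
        file.deleteOnExit();

        save(new PlayerState("Aria", 12, 340), file);
        PlayerState loaded = load(file);
        System.out.println(loaded.name + " level " + loaded.level + " gold " + loaded.gold);

        // A file that holds some other serializable type is refused by the filter.
        save(new ArrayList<String>(), file);
        try {
            load(file);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter limits which classes can be loaded from the file; it does not stop a player from changing the values stored in a valid `PlayerState`.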

1. Store the key for encryption online; that way the cheater can't decode the key unless he connects to your server.

2. Add MD5 checksum over all the text file so someone can't change something without changing the checksum too (well he could always generate a new checksum and replace the old one) (Is it long to generate MD5 checksum?)

3. Add +1 to the ASCII code of every character (that makes it unreadable) (character = dibsbdufs)
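An added example (not code from the thread) of the checksum idea in point 2, using a keyed HMAC-SHA256 in place of the plain MD5 the post suggests, so that recomputing the tag requires the key and not just the file. The key, the key=value save text and the "tag on the last line" layout are assumptions made for this example.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class SaveTagDemo {
    // Assumption: a key shipped inside the game. Anyone who decompiles the jar can
    // read it, so this only stops edits made with nothing but a text editor.
    private static final byte[] KEY =
            "constructed-demo-key".getBytes(StandardCharsets.UTF_8);

    static String tag(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        byte[] raw = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(raw);
    }

    // Layout used here (an assumption): save data, newline, then the tag as the last line.
    static String seal(String data) throws Exception {
        return data + "\n" + tag(data);
    }

    // Returns the save data if the tag matches, otherwise null.
    static String open(String sealed) throws Exception {
        int split = sealed.lastIndexOf('\n');
        if (split < 0) {
            return null;
        }
        String data = sealed.substring(0, split);
        byte[] expected = tag(data).getBytes(StandardCharsets.UTF_8);
        byte[] actual = sealed.substring(split + 1).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares without stopping at the first differing byte.
        return MessageDigest.isEqual(expected, actual) ? data : null;
    }

    public static void main(String[] args) throws Exception {
        String sealed = seal("name=Aria\nlevel=12\ngold=340"); // constructed sample save
        System.out.println("untouched save accepted: " + (open(sealed) != null));

        String edited = sealed.replace("gold=340", "gold=999999");
        System.out.println("edited save accepted:    " + (open(edited) != null));
    }
}
```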

I'm working on an RPG game and I have a problem: storing player data. I was thinking about storing save games in plain text files within the jar or in directories placed near the jar file, but that would be really easy for the player to modify, which will make the game less challenging and less fun. I have been thinking about serialization as well, but I don't know anything about serialization and it seems awfully complicated. Are there any other alternatives?

Sign the jar, and save the game state as a class using ObjectWeb ASM (or some other class modifying library). Replace the game state class file within the JAR, and generate a new checksum for the file. Save the checksum into MANIFEST.MF. When they try to modify the saved game state (which I doubt many could), save it and then try to run it again, the JVM will crash as the checksum for the class doesn't match. For extra security, check manifest.mf when the game starts and do a file integrity check on each file in the JAR file against the entries in the manifest. This will also ensure that people can't just remove the signing on the jar.

Alternatively, just use XML or OOS to save the state, and use JCE (DES, AES256, etc.) to encrypt the data using a key generated with some special data, e.g. last modified time of the executing jar, OS type, etc.

Nice post Dx4 but it'll still be possible to backwards engineer and change the save file.

The question you need to ask yourself is: Who do I want to protect the save file from (regular joe/advanced joe/junior programmers/senior programmers)?

As long as you are fine with just protecting it from most people, spend an hour on making something like outputting a gzip of the data to the file or write a serialized object. If you want to protect it against everyone just accept that it won't be possible and spend as much time on it as you can spare. In my opinion that would be no time at all as it's more important to have a fun game than a good save system. If it is a problem that people are changing your save files then see it positively, someone is playing your game!

Nice post Dx4 but it'll still be possible to backwards engineer and change the save file.

Obviously, people who want to hack your game and are dedicated enough WILL be able to, it's impossible to protect it from everyone, but what I wrote above, when mixed with some fancy obfuscation, will prove to be a very burdensome task to reverse engineer and change.

Also you mentioned Serialization being hard, what's so hard about it? Make the classes you want to save implement Serializable then just create an ObjectOutputStream that wraps around a FileOutputStream. To read it back in, wrap an ObjectInputStream around a FileInputStream.

This.

You don't even have to use Serializable, I just use ObjectOutputStream / Input. (Of course you do, mixed something up, sry =P)

Or just not worry about it. I actually prefer games where I can easily modify stuff - I generally play through normally first and then go crazy with cheating a second time. It's fun to do. Let players make their choice and just give the file a different extension so that text editors won't automatically open it. Most players won't bother looking into the save files.

Hi, I have the same question: what is the best method to store something offline on a local machine? I mean the classic savegame, or just a character data sheet, without using online methods and obviously without storing it in a .txt file. Should I create a file with a custom extension? Or is there a way to have a local DB?

It depends on how far you want to go. If it's a single-player game, and not online, why should players not be able to alter their save files? Does it harm the game, for you? If you just save the information in a file, but use a binary format instead, humans won't be able to read it. However, no matter how much you encrypt and zip the files, you'll at some point need to de-serialize it, and there's nothing stopping people from decompiling your source code and looking how you're doing it. If you can do it locally, so can they.
